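name: Build valia-sites-sync

# ADR-0002 + ADR-0018: infra-owned image built off-infra on GHA → ghcr (public).
# Rclone + wrangler runner for the Valia-sites Content-folder mirror CronJob.
# Rebuilds are rare (tool pins only change deliberately) → dispatch + path.
# Security note: no untrusted event inputs are interpolated anywhere (only
# github.actor / github.sha / GITHUB_TOKEN — same shape as the other
# build-*.yml workflows in this repo).
#
# Supply-chain note: every `uses:` below references a mutable major-version
# tag. Pinning each one to a full commit SHA (with the tag kept as a trailing
# comment) would stop a re-pointed tag from running with `packages: write`.

on:
  push:
    branches: [master]
    paths:
      - 'stacks/valia-sites/sync-image/**'
  workflow_dispatch: {}

# Workflow-wide default stays read-only; write access is granted per job so a
# job added later does not inherit permission to publish packages.
permissions:
  contents: read

jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Needed only for the push to ghcr.io in the last step.
      packages: write
    steps:
      - uses: actions/checkout@v4
        with:
          # No later step runs git against the remote, so the token does not
          # need to stay in the checked-out repo's git config.
          persist-credentials: false

      - uses: docker/setup-buildx-action@v3

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - uses: docker/build-push-action@v6
        with:
          # Only the sync-image directory is sent as build context.
          context: stacks/valia-sites/sync-image
          platforms: linux/amd64
          # NOTE(review): provenance attestation is switched off, so the
          # published image carries no build-provenance record. The reason is
          # not stated in this file; confirm it is deliberate.
          provenance: false
          push: true
          # `latest` is mutable; the commit-SHA tag is the one that identifies
          # a specific build. NOTE(review): which tag the CronJob pulls is not
          # visible here; verify it pins the SHA tag or a digest.
          tags: |
            ghcr.io/viktorbarzin/valia-sites-sync:latest
            ghcr.io/viktorbarzin/valia-sites-sync:${{ github.sha }}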